Overview

overview

10

Static

static

8

Kiki

windows7_x64

10

Resubmissions

17-12-2020 18:23

201217-a919dkygg2 10

03-12-2020 14:36

201203-xg2dt64s3j 10

Analysis

  • max time kernel
    90s
  • max time network
    92s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    17-12-2020 18:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    document-1699807874.xls

  • Size

    111KB

  • MD5

    dea2166519409b96205775cc95abab6e

  • SHA1

    a70da2919e3f81d3fd397435649097e296605536

  • SHA256

    52e0b5d39e9a97736b03f2b0ac315bb874da3632574cdd252fd8b9138cc1b299

  • SHA512

    28f317f53ace16c4c6ffc701fad325eebc0dc54c85477cfd9b27d1cbd809b1df128fa235b72c7db7927618adca29440a54c194f97cdb8f38bc98220200f24b1c

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://p-clone.net/ds/021220&C51

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\document-1699807874.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 -s C:\gnbft\chtfj.dll
      2⤵
      • Process spawned unexpected child process
      PID:640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/640-3-0x0000000000000000-mapping.dmp
    Download
  • memory/1540-2-0x000007FEF5E90000-0x000007FEF610A000-memory.dmp
    Filesize

    2.5MB

    Download